Unpatched Lighttpd Flaw in Intel, Lenovo BMCs Risks Data Security

April 16, 2024
  • A security flaw in the Lighttpd web server impacting BMCs remains unpatched by Intel and Lenovo.

  • The vulnerability was fixed by Lighttpd maintainers in 2018 but was missed by AMI MegaRAC BMC developers due to the lack of a CVE identifier.

  • Affected Intel and Lenovo products contain an out-of-bounds read vulnerability, risking sensitive data exposure and security bypass.

  • Intel and Lenovo have not addressed the flaw because the affected products are now end-of-life and no longer receive security updates.

  • The situation highlights the dangers of outdated third-party components in firmware and the extended risk to the industry.

Summary based on 1 source

